diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c --- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100 +++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100 @@ -12,11 +12,46 @@ #include "internal/provider.h" #include "crypto/ctype.h" +# include <sys/types.h> +# include <sys/stat.h> +# include <fcntl.h> +# include <unistd.h> +# include <openssl/evp.h> + struct ossl_lib_ctx_onfree_list_st { ossl_lib_ctx_onfree_fn *fn; struct ossl_lib_ctx_onfree_list_st *next; }; +# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" + +static int kernel_fips_flag; + +static void read_kernel_fips_flag(void) +{ + char buf[2] = "0"; + int fd; + + if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + close(fd); + } + + if (buf[0] == '1') { + kernel_fips_flag = 1; + } + + return; +} + +int ossl_get_kernel_fips_flag() +{ + return kernel_fips_flag; +} + + struct ossl_lib_ctx_st { CRYPTO_RWLOCK *lock; CRYPTO_EX_DATA data; @@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte DEFINE_RUN_ONCE_STATIC(default_context_do_init) { + read_kernel_fips_flag(); return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) && context_init(&default_context_int); } diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h --- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100 +++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100 @@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); +/* FIPS flag access */ +int ossl_get_kernel_fips_flag(void); + # ifdef __cplusplus } # endif